BC-11309 - ensure permission GROUP_FULL_ADMIN for all superheros and administrators (#6128)

* ensure permission GROUP_FULL_ADMIN is set for all superheros and administrators

Author: hoeppner-dataport

apps/server/src/migrations/mikro-orm/Migration20260216141637.ts

@@ -0,0 +1,70 @@
+import { Migration } from '@mikro-orm/migrations-mongodb';
+
+const config = {
+	superhero: {
+		old: [],
+		new: ['GROUP_FULL_ADMIN'],
+	},
+	administrator: {
+		old: [],
+		new: ['GROUP_FULL_ADMIN'],
+	},
+};
+
+export class Migration20260216141637 extends Migration {
+	private async addPermissions(roleName: string, permissions: string | string[]): Promise<void> {
+		if (typeof permissions === 'string') {
+			permissions = [permissions];
+		}
+		const roleUpdate = await this.getCollection('roles').updateOne(
+			{ name: roleName },
+			{
+				$addToSet: {
+					permissions: {
+						$each: permissions,
+					},
+				},
+			}
+		);
+
+		if (roleUpdate.modifiedCount > 0) {
+			console.info(`  Permission added to '${roleName}':\n    ${permissions.join(', ')}.\n`);
+		}
+	}
+
+	private async removePermissions(roleName: string, permissions: string | string[]): Promise<void> {
+		if (typeof permissions === 'string') {
+			permissions = [permissions];
+		}
+		const roleUpdate = await this.getCollection('roles').updateOne(
+			{ name: roleName },
+			{
+				// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+				// @ts-ignore // MongoDB types are wrong here
+				$pull: {
+					permissions: {
+						$in: permissions,
+					},
+				},
+			}
+		);
+
+		if (roleUpdate.modifiedCount > 0) {
+			console.info(`  Permissions removed from '${roleName}':\n    ${permissions.join(', ')}.\n`);
+		}
+	}
+
+	public async up(): Promise<void> {
+		for (const [roleName, permissions] of Object.entries(config)) {
+			await this.removePermissions(roleName, permissions.old);
+			await this.addPermissions(roleName, permissions.new);
+		}
+	}
+
+	public async down(): Promise<void> {
+		for (const [roleName, permissions] of Object.entries(config)) {
+			await this.removePermissions(roleName, permissions.new);
+			await this.addPermissions(roleName, permissions.old);
+		}
+	}
+}

backup/setup/migrations.json

@@ -97,5 +97,14 @@
 		"created_at": {
 			"$date": "2026-02-02T12:44:13.220Z"
 		}
+	},
+	{
+		"_id": {
+			"$oid": "6993293e81878b214983a8e7"
+		},
+		"name": "Migration20260216141637",
+		"executed_at": {
+			"$date": "2026-02-16T14:27:10.822Z"
+		}
 	}
-]
+]

backup/setup/roles.json

@@ -138,14 +138,14 @@
 			"START_MEETING",
 			"JOIN_MEETING",
 			"GROUP_LIST",
-			"GROUP_FULL_ADMIN",
 			"SCHOOL_SYSTEM_EDIT",
 			"SCHOOL_SYSTEM_VIEW",
 			"USER_CHANGE_OWN_NAME",
 			"MEDIA_SCHOOL_LICENSE_ADMIN",
 			"SCHOOL_LIST_DISCOVERABLE_TEACHERS",
 			"SCHOOL_ADMINISTRATE_ROOMS",
-			"SCHOOL_LIST_ROOM_MEMBERS"
+			"SCHOOL_LIST_ROOM_MEMBERS",
+			"GROUP_FULL_ADMIN"
 		],
 		"__v": 2
 	},
@@ -203,15 +203,15 @@
 			"TOOL_EDIT",
 			"YEARS_EDIT",
 			"GROUP_LIST",
-			"GROUP_FULL_ADMIN",
 			"USER_CHANGE_OWN_NAME",
 			"ACCOUNT_VIEW",
 			"ACCOUNT_DELETE",
 			"USER_LOGIN_MIGRATION_FORCE",
 			"USER_LOGIN_MIGRATION_ROLLBACK",
 			"MEDIA_SOURCE_ADMIN",
 			"INSTANCE_EDIT",
-			"CAN_EXECUTE_INSTANCE_OPERATIONS"
+			"CAN_EXECUTE_INSTANCE_OPERATIONS",
+			"GROUP_FULL_ADMIN"
 		],
 		"__v": 2
 	},
@@ -221,7 +221,7 @@
 		},
 		"name": "teacher",
 		"updatedAt": {
-			"$date": "2025-07-31T12:29:47.091Z"
+			"$date": "2026-02-16T14:26:29.665Z"
 		},
 		"createdAt": {
 			"$date": "2017-01-01T00:06:37.148Z"
@@ -646,13 +646,6 @@
 		"name": "guestTeacher",
 		"permissions": []
 	},
-	{
-		"_id": {
-			"$oid": "68ece70b963025351f0a98c4"
-		},
-		"name": "guestExternalPerson",
-		"permissions": []
-	},
 	{
 		"_id": {
 			"$oid": "675abdb4e76b1142cd4c89e3"
@@ -702,5 +695,12 @@
 		},
 		"name": "roomapplicant",
 		"permissions": []
+	},
+	{
+		"_id": {
+			"$oid": "68ece70b963025351f0a98c4"
+		},
+		"name": "guestExternalPerson",
+		"permissions": []
 	}
 ]